Breaking the OODA Loop!

The OODA loop is a well-established concept, originally developed in the military by USAF Colonel John Boyd, that is often borrowed by the security community. OODA stands for Observe, Orient, Decide, Act.

OODA is an iterative process: after each action you must observe your results and any new opposing move. The idea is that if you can consistently get through the loop to the action faster than your opponent, you win. It is typically described with a dogfight analogy, in which each pilot tries to turn more quickly and sharply than the other in order to get off a shot. But as you turn faster and faster the g-forces build, and at that point the ever-faster OODA loop feels less like a winning maneuver and more like a centrifuge crushing us. We need to break out of the loop and find a new way to play the security game.

Lately, every time I hear about the OODA loop I think of the Ouroboros, the snake eating its own tail. Defenders react faster, so attackers do too and get sneakier, and so on without end. Like many similar technological races, it is hard to gain more than an incremental and temporary advantage. It takes an enormous amount of effort and money to make even small improvements, and even the biggest and best-prepared companies still regularly fall victim to cyber attacks. Only revolutionary improvements make a substantial difference to the balance between attackers and defenders.

Consider a typical OODA loop scenario. An attacker sends a phishing email, and someone clicks a link to a malicious website which infects the user's computer. At some point the attack is detected (observed), often well after the attacker has had a chance to move laterally through the organization and establish persistence. The victimized enterprise then turns its attention to gathering more data about what has happened and which systems have been compromised (orient), and quickly settles on a plan of action (decide). Finally it starts trying to clean up infected systems and prevent further compromise (act). Of course the attacker may notice that they have been observed and start taking countermeasures at the same time.

How much better would it be if many of these attacks could be stopped or remediated without ever being detected? Could we skip the "OOD" in most cases and move directly to acting, frequently and repeatedly? That can only work if the cost of remediating a potentially infected system drops by several orders of magnitude. Conventionally it might take an IT person an hour or more to clean up a single desktop. If we want to do that every day on every machine, or more often still, the cost has to be almost zero.

Virtualization and containerization make it possible to automate this kind of process very effectively. Images of the system, component, or application can be captured in a known-good, clean condition. The running VM or container can then be quickly, easily, and cheaply destroyed and re-created from that image. That efficiency makes it practical to take this remediation action very frequently: it is common for such systems to rebuild from the image daily, and some do so every few minutes. The one thing you cannot skip is protecting the image itself. Every rebuild re-installs whatever the image contains, so the image store needs to be write-protected and its integrity verified before each instantiation.

Another advantage of bypassing the observe/detect phase is being secure in the face of undetectable malware. Current-generation security tools have a dismal track record against sophisticated attacks, and web interactions require scanners to allow or deny content in milliseconds, which makes detection particularly difficult. With automated rebuilds of the image, everything the malware placed inside the instance gets wiped, including the stuff that managed to evade every scanner. What survives is only what lives outside the instance (persistent volumes, stored credentials, the image itself), which is exactly where the isolation boundaries need to be drawn.

Virtualizing or containerizing small individual applications has many advantages over virtualizing the whole system. Isolating individual applications limits the amount of data and resources at risk between the time of any infection and the time it is remediated. Strict isolation of the application from file systems, networks, and hardware makes it far harder for an attack to reach its objective of capturing information or inflicting damage, even during the window before the next rebuild.
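To make the rebuild cycle concrete, here is an added example (my own illustration, not code from the original post or from Ntrepid) that models the lifecycle in plain Python rather than with a real container runtime: a golden image is pinned by a manifest hash, every job runs in a fresh copy, the copy is destroyed afterwards whether or not anything looked wrong, and a poisoned golden image is refused. The "golden image" and "implant" are constructed in temporary directories; in production the same roles would be played by a read-only, signed container image and a per-session container with no writable root filesystem.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path


def tree_manifest(root: Path) -> dict[str, str]:
    """Map each file under root (relative path) to its SHA-256."""
    manifest = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            rel = p.relative_to(root).as_posix()
            manifest[rel] = hashlib.sha256(p.read_bytes()).hexdigest()
    return manifest


def manifest_digest(manifest: dict[str, str]) -> str:
    """Single digest over the whole manifest; this is what gets pinned."""
    h = hashlib.sha256()
    for rel, digest in sorted(manifest.items()):
        h.update(f"{rel}\0{digest}\n".encode())
    return h.hexdigest()


class EphemeralSandbox:
    """Run jobs in throwaway copies of a golden image (hypothetical helper)."""

    def __init__(self, golden: Path, expected_digest: str):
        self.golden = golden
        self.expected = expected_digest
        self.instance = None

    def rebuild(self) -> Path:
        # Verify the image store before every instantiation: a rebuild from a
        # tampered image just re-installs the attacker on schedule.
        if manifest_digest(tree_manifest(self.golden)) != self.expected:
            raise RuntimeError("golden image integrity check failed; refusing to instantiate")
        self.destroy()
        self.instance = Path(tempfile.mkdtemp(prefix="sbx-"))
        shutil.copytree(self.golden, self.instance, dirs_exist_ok=True)
        return self.instance

    def destroy(self) -> None:
        if self.instance is not None and self.instance.exists():
            shutil.rmtree(self.instance)
        self.instance = None

    def run(self, job) -> set[str]:
        """Run one job in a fresh instance and wipe it afterwards, no matter what.

        The returned set of drifted paths is a by-product (cheap telemetry for
        later analysis), not a gate: remediation happens regardless of its value.
        """
        inst = self.rebuild()
        baseline = tree_manifest(inst)
        try:
            job(inst)
            after = tree_manifest(inst)
            return {p for p in set(baseline) | set(after) if baseline.get(p) != after.get(p)}
        finally:
            self.destroy()


def make_golden() -> tuple[Path, str]:
    """Constructed sample image: a config file and one tool binary."""
    golden = Path(tempfile.mkdtemp(prefix="golden-"))
    (golden / "bin").mkdir()
    (golden / "app.cfg").write_text("mode=safe\n")
    (golden / "bin" / "tool").write_text("#!/bin/sh\necho ok\n")
    return golden, manifest_digest(tree_manifest(golden))


def demo_rebuild_wipes_implant() -> tuple[set[str], set[str]]:
    """Simulated compromise in run 1 leaves no trace in run 2."""
    golden, expected = make_golden()
    sbx = EphemeralSandbox(golden, expected)

    def implant(inst: Path) -> None:  # constructed "malware": persistence + config tamper
        (inst / "bin" / "evil").write_text("persist\n")
        (inst / "app.cfg").write_text("mode=owned\n")

    drift_first = sbx.run(implant)
    drift_second = sbx.run(lambda inst: None)
    shutil.rmtree(golden)
    return drift_first, drift_second


def demo_tainted_image_refused() -> bool:
    """If the image store itself is modified, rebuilds must stop, not continue."""
    golden, expected = make_golden()
    sbx = EphemeralSandbox(golden, expected)
    (golden / "app.cfg").write_text("mode=owned\n")  # attacker poisons the golden image
    try:
        sbx.run(lambda inst: None)
        refused = False
    except RuntimeError:
        refused = True
    shutil.rmtree(golden)
    return refused


if __name__ == "__main__":
    print(demo_rebuild_wipes_implant())  # ({'app.cfg', 'bin/evil'}, set())
    print(demo_tainted_image_refused())  # True
```

Two design points carry over to real deployments. First, the drift report is collected after the fact and never decides whether to remediate; that is what lets the loop skip straight to acting. Second, the integrity check on the golden image is the part people forget: once you rebuild automatically, the image store becomes the highest-value target, because a single compromise there is replicated into every instance on every cycle.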

Applications are too large, too complex, and evolve too quickly to be free of major vulnerabilities any time soon, and attackers continue to develop new tools and techniques to evade immediate detection. The result is businesses spending untold sweat and treasure racing faster and faster around an ever-tightening OODA loop. If they keep it up they will be eating themselves alive like the mythical snake.

Isolating those vulnerable applications in tightly restricted boxes that are frequently destroyed and rebuilt, whether or not anything has been detected, is an important approach to robust security and survivability in today's threat environment. It lets us break out of the OODA loop and cut straight to taking effective action.

Lance Cottrell founded Anonymizer in 1995, which was acquired by Ntrepid (then Abraxas) in 2008. As Chief Scientist, Lance continues to push the envelope with the new technologies and capabilities required to stay ahead of rapidly evolving threats. Lance is a well-known expert on security, privacy, anonymity, misattribution and cryptography. He speaks frequently at conferences and in interviews. Lance is the principal author on multiple Internet anonymity and security technology patents. He holds an M.S. in physics from the University of California, San Diego and a B.S. in physics from the University of California, Santa Cruz. In his spare time Lance grows high-end pinot noir grapes in the Russian River Valley AVA.